Non classé by Jean-Marie Renouard

Open Source Audit plugins from MySQL 5.7/MySQL 8.0

Conclusion first

MySQL Oracle since 5.7.33 doesn’t get any open source auditing solution

https://forums.mysql.com/read.php?132,696220,703716

I have tried several options:

  • Binary lib MAriaDB plugin server_audit into lib/mysql/plugin (MySQL Server don’t start)
  • Compilation of AWS Audit plugin (Code missing code files)
  • Compilation of MariaDB plugin server_audit from MySQL code source (API failure)
  • Compilation of Percona plugin from MySQL code source (API failure)
  • MacAffee Plugins (getting a lot of errors and warnings message in error log)

Create a VirtualBox with Vagrant

Useful links

  • https://app.vagrantup.com/centos/boxes/7
  • https://www.vagrantup.com/
  • https://www.virtualbox.org/

Creating a Centos/7 virtual server 

<code>$ vagrant init centos/7
...

$ vagrant up
...

$ vagrant ssh</code>

Prepare Virtual machine for MySQL 5.7

<code>$ sudo yum -y update

$ sudo rpm --import https://repo.mysql.com/RPM-GPG-KEY-mysql-2022 

$ sudo yum localinstall https://dev.mysql.com/get/mysql57-community-release-el7-11.noarch.rpm</code>

$ sudo poweroff

Install compilation environment

$ sudo yum group install -y 'Development Tools'
...
$ sudo yum install -y cmake ncurses-devel curl openssl-devel
...

Download MySQL 5.7.40 source code

$ mkdir mysql
$ cd mysql
$ curl -Ovk https://cdn.mysql.com/Downloads/MySQL-5.7/v
$ mkdir build
$tar xzf mysql-5.7.40.tar.gz
$ cd mysql-5.7.40

Adding code source from MySQL 5.7 AWS audit plugin

https://github.com/aws/audit-plugin-for-mysql/tree/mysql-5.7 
$ git cone https://github.com/aws/audit-plugin-for-mysql.git
$ git checkout -b mysql-5.7
Switched to a new branch 'mysql-5.7'
$ rsync -av plugin/server_audit ../mysql/mysql-5.7.40/plugin/
sending incremental file list
server_audit/
server_audit/CMakeLists.txt
server_audit/COPYING
server_audit/file_logger.cc
server_audit/server_audit.cc
server_audit/service_logger.h

sent 100,421 bytes  received 115 bytes  201,072.00 bytes/sec
total size is 99,984  speedup is 0.99
 
Compile source MySQL code source with audit plugin

$ cmake . -DDOWNLOAD_BOOST=1 -DWITH_BOOST=$HOME/boost -DENABLE_DOWNLOADS=1
...
$ make
...

Compile source MySQL code source with audit plugin


$ cmake . -DDOWNLOAD_BOOST=1 -DWITH_BOOST=$HOME/boost -DENABLE_DOWNLOADS=1
...
$ make
...

MariaDB Audit plugin

Idea is downloading last MariaDB 10.6 and grab server_audit.so into MySQL plugin directory

But we are facing since last recent versions, troubles blocking MySQL server starting with this message indicating that

MacAffee MySQL plugin

  • https://blog.pythian.com/auditing-mysql-users-mcafee-plugin/
  • https://github.com/mcafee-enterprise/mysql-audit
  • https://github.com/mcafee-enterprise/mysql-audit/releases/download/v1.1.13/audit-plugin-mysql-5.7-1.1.13-1008-linux-x86_64.zip
  • copy libaudit_plugin.so /usr/lib64/mysql/plugin
plugin-load=AUDIT=libaudit_plugin.so
audit_offsets= 7832, 7880, 3640, 4800, 456, 360, 0, 32, 64, 160, 544, 7996, 4368, 3648, 3656, 3660, 6080, 2072, 8, 7064, 7104, 7088, 13480, 148, 672, 0
audit_json_file=ON
audit_json_log_file=/var/log/mysql-audit.json
audit_record_cmds='connect,Failed Login,Quit'
plugin-load=AUDIT=libaudit_plugin.so
audit_record_cmds='connect,Quit,Failed Login,show,grant,truncate,drop,alter,trigger,grant,super,process,reload,shutdown,create_user,revoke'

Conclusion first

MySQL Oracle since 5.7.33 doesn’t get any open source auditing solution

https://forums.mysql.com/read.php?132,696220,703716

I have tried several options:

  • Binary lib MAriaDB plugin server_audit into lib/mysql/plugin (MySQL Server don’t start)
  • Compilation of AWS Audit plugin (Code missing code files)
  • Compilation of MariaDB plugin server_audit from MySQL code source (API failure)
  • Compilation of Percona plugin from MySQL code source (API failure)
  • MacAffee Plugins (getting a lot of errors and warnings message in error log)

Create a VirtualBox with Vagrant

Useful links

  • https://app.vagrantup.com/centos/boxes/7
  • https://www.vagrantup.com/
  • https://www.virtualbox.org/

Creating a Centos/7 virtual server 

<code>$ vagrant init centos/7
...

$ vagrant up
...

$ vagrant ssh</code>

Prepare Virtual machine for MySQL 5.7

<code>$ sudo yum -y update

$ sudo rpm --import https://repo.mysql.com/RPM-GPG-KEY-mysql-2022 

$ sudo yum localinstall https://dev.mysql.com/get/mysql57-community-release-el7-11.noarch.rpm</code>

$ sudo poweroff

Install compilation environment

$ sudo yum group install -y 'Development Tools'
...
$ sudo yum install -y cmake ncurses-devel curl openssl-devel
...

Download MySQL 5.7.40 source code

$ mkdir mysql
$ cd mysql
$ curl -Ovk https://cdn.mysql.com/Downloads/MySQL-5.7/v
$ mkdir build
$tar xzf mysql-5.7.40.tar.gz
$ cd mysql-5.7.40

Adding code source from MySQL 5.7 AWS audit plugin

https://github.com/aws/audit-plugin-for-mysql/tree/mysql-5.7 
$ git cone https://github.com/aws/audit-plugin-for-mysql.git
$ git checkout -b mysql-5.7
Switched to a new branch 'mysql-5.7'
$ rsync -av plugin/server_audit ../mysql/mysql-5.7.40/plugin/
sending incremental file list
server_audit/
server_audit/CMakeLists.txt
server_audit/COPYING
server_audit/file_logger.cc
server_audit/server_audit.cc
server_audit/service_logger.h

sent 100,421 bytes  received 115 bytes  201,072.00 bytes/sec
total size is 99,984  speedup is 0.99
 
Compile source MySQL code source with audit plugin

$ cmake . -DDOWNLOAD_BOOST=1 -DWITH_BOOST=$HOME/boost -DENABLE_DOWNLOADS=1
...
$ make
...

Compile source MySQL code source with audit plugin


$ cmake . -DDOWNLOAD_BOOST=1 -DWITH_BOOST=$HOME/boost -DENABLE_DOWNLOADS=1
...
$ make
...

MariaDB Audit plugin

Idea is downloading last MariaDB 10.6 and grab server_audit.so into MySQL plugin directory

But we are facing since last recent versions, troubles blocking MySQL server starting with this message indicating that

MacAffee MySQL plugin

  • https://blog.pythian.com/auditing-mysql-users-mcafee-plugin/
  • https://github.com/mcafee-enterprise/mysql-audit
  • https://github.com/mcafee-enterprise/mysql-audit/releases/download/v1.1.13/audit-plugin-mysql-5.7-1.1.13-1008-linux-x86_64.zip
  • copy libaudit_plugin.so /usr/lib64/mysql/plugin
plugin-load=AUDIT=libaudit_plugin.so
audit_offsets= 7832, 7880, 3640, 4800, 456, 360, 0, 32, 64, 160, 544, 7996, 4368, 3648, 3656, 3660, 6080, 2072, 8, 7064, 7104, 7088, 13480, 148, 672, 0
audit_json_file=ON
audit_json_log_file=/var/log/mysql-audit.json
audit_record_cmds='connect,Failed Login,Quit'
plugin-load=AUDIT=libaudit_plugin.so
audit_record_cmds='connect,Quit,Failed Login,show,grant,truncate,drop,alter,trigger,grant,super,process,reload,shutdown,create_user,revoke'

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.